possible security risks
Authored by: hayne on Jun 14, '06 08:49:28AM

You should realize that anytime you set up something like this you are opening your system to possible security problems.

It is quite easy to forge the sender's name (or any other part) of an email message. Thus anyone could send you an email that would trigger your script.
Would you feel comfortable double-clicking on a ".torrent" file that some stranger emailed to you? You've set this up so a malicious stranger can send you ".torrent" files and effectively automatically double-click on them!

Note also that it is perhaps possible (in theory - I don't know details of Azureus) for ".torrent" files to contain some other type of file that Azureus would read and recognize as being that other type in spite of the ".torrent" suffix. That might open further security holes.

I would strongly recommend that you incorporate at least some simple security measures in your script. E.g. check on the address the email was sent from as well as the sender's name. Make it so that the script only triggers if the subject line contains some special code word that only you would know. Maybe this code word could depend on the current date or the name of the torrent (e.g. every second letter of the torrent name, followed by the day of the month).



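The checks suggested in the comment above, worked through as an added example that is not code from the thread or its authors: the script verifies the sender's address (not just the display name), requires a subject code word built from the torrent name and the day of the month, and confirms that the attachment is really a bencoded torrent dictionary rather than some other file wearing a ".torrent" suffix. The allowed address `me@example.com`, the token scheme (letters 1, 3, 5, ... of the name followed by the day), the `check_message`/`is_torrent_dict` helpers and the sample message are all assumptions constructed for the example.

```python
"""Sanity checks before a mail rule hands a .torrent attachment to a client.

Added example: verify the sender address, a date-dependent subject code word,
and that the attachment is a bencoded torrent dictionary. Names and values
here are constructed, not taken from any real setup.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: the one address the rule should honour (constructed value).
ALLOWED_SENDERS = {"me@example.com"}
SUFFIX = ".torrent"


def expected_token(torrent_name: str, day: int) -> str:
    """Code word: every second letter of the torrent name (1st, 3rd, ...)
    followed by the day of the month (one reading of the scheme above)."""
    return torrent_name[::2] + str(day)


def decode_bencode(data: bytes, pos: int = 0):
    """Minimal bencode decoder; returns (value, next_pos), ValueError if malformed."""
    c = data[pos:pos + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                       # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = decode_bencode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                       # dictionary: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = decode_bencode(data, pos)
            if not isinstance(key, bytes):
                raise ValueError("dictionary key must be a byte string")
            value, pos = decode_bencode(data, pos)
            result[key] = value
        return result, pos + 1
    if c.isdigit():                     # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("string length overruns input")
        return data[start:start + length], start + length
    raise ValueError("malformed bencode at offset %d" % pos)


def is_torrent_dict(data: bytes) -> bool:
    """True only if the whole payload is one bencoded dict carrying an 'info' key."""
    try:
        value, end = decode_bencode(data, 0)
    except (ValueError, IndexError):
        return False
    return end == len(data) and isinstance(value, dict) and b"info" in value


def check_message(raw: bytes, day: int):
    """Return (ok, detail); ok is True only when every check passes."""
    msg = message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))   # address, not display name
    if addr.lower() not in ALLOWED_SENDERS:
        return False, "sender address not allowed"
    subject = str(msg["Subject"] or "")
    approved = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.endswith(SUFFIX):
            return False, "unexpected attachment %r" % name
        if expected_token(name[:-len(SUFFIX)], day) not in subject:
            return False, "subject lacks the code word"
        payload = part.get_payload(decode=True) or b""
        if not is_torrent_dict(payload):
            return False, "attachment is not a bencoded torrent dictionary"
        approved.append(name)
    if not approved:
        return False, "no .torrent attachment"
    return True, approved


# Constructed sample: a tiny but well-formed torrent dictionary.
SAMPLE_TORRENT = (b"d8:announce23:http://tracker.example/4:infod6:lengthi1234e"
                  b"4:name10:fedora.iso12:piece lengthi16384e6:pieces20:"
                  + b"\x00" * 20 + b"ee")


def build_sample(sender: str, subject: str, filename: str, payload: bytes) -> bytes:
    """Build a constructed test message with one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "me@example.com"
    msg["Subject"] = subject
    msg.set_content("torrent attached")
    msg.add_attachment(payload, maintype="application",
                       subtype="x-bittorrent", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    good = build_sample("me@example.com", "torrent fdr14", "fedora.torrent", SAMPLE_TORRENT)
    print(check_message(good, 14))          # accepted
    spoofed = build_sample("Me <stranger@example.net>", "torrent fdr14",
                           "fedora.torrent", SAMPLE_TORRENT)
    print(check_message(spoofed, 14))       # rejected: wrong address
```

The address check alone is weak (From headers are trivially forged, as the comment notes), which is why the code word is the real gate; the bencode check adds nothing against a determined sender but does stop a mislabelled attachment from reaching the client by accident.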
possible security risks
Authored by: robg on Jun 14, '06 09:19:28AM

While there's clearly some risk here, I think it's minimal -- an attacker would have to know (a) what you use for the subject of your email to yourself, and (b) spoof the from address to use your surname.

But as you note, it's simple to add extra protection; even doing something as simple as 'Subject equals Törrént D0wn7oad' would probably suffice.

I don't do much with torrents (occasional Fedora releases), but I like the options that this script enables for remote mail handling.

-rob.


